Java Security

SAST/DAST/SCA w/ VS Code, Burp Suite Pro & Veracode

Introduction

This posting demonstrates how to detect and remediate all 25 entries from the 2023 CWE Top 25 in Java applications. We’ll use:

• SAST: SpotBugs, SonarQube, Veracode Static Analysis
• DAST: OWASP ZAP, Burp Suite Professional
• SCA: Veracode SCA
• IDE: VS Code with integrated tooling

Toolchain Configuration

1. SAST Tools

SpotBugs + FindSecBugs

<!-- Maven Plugin -->
<plugin>
  <groupId>com.github.spotbugs</groupId>
  <artifactId>spotbugs-maven-plugin</artifactId>
  <version>4.7.3</version>
  <configuration>
    <plugins>
      <plugin>
        <groupId>com.h3xstream.findsecbugs</groupId>
        <artifactId>findsecbugs-plugin</artifactId>
        <version>1.12.0</version>
      </plugin>
    </plugins>
  </configuration>
</plugin>

Veracode Static Analysis

# Veracode Pipeline Scan
java -jar veracode-static-analysis.jar -vid $VERACODE_ID -vkey $VERACODE_KEY -f app.jar

2. DAST Tools

Burp Suite Professional Configuration

1. Proxy Setup:

   // Java VM Args for Burp Proxy
   -Dhttp.proxyHost=localhost -Dhttp.proxyPort=8080
   

2. Scan Policy:
   • Configure custom insertion points for API endpoints
   • Enable “Active Scan” for business logic flaws

OWASP ZAP Automation

docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable \
  zap-full-scan.py -t https://app:8080 -g gen.conf -r report.html

Comprehensive CWE Top 25 Remediation

1. CWE-787: Out-of-Bounds Write

Vulnerability Examples

// Example 1: Array Index Violation
int[] buffer = new int[10];
buffer[userInput] = 1; // No bounds check

// Example 2: ByteBuffer Overflow
ByteBuffer.allocate(10).put(new byte[20], 0, 20);

Detection

• Veracode: “Array Index Out of Bounds” (CWE ID 787)
• SpotBugs: RV_ABSOLUTE_VALUE_OF_RANDOM_INT
• Burp Suite: Fuzz with negative/oversized indices

Remediation

// Fixed Example 1
if (userInput >= 0 && userInput < buffer.length) {
  buffer[userInput] = 1;
}

// Fixed Example 2
ByteBuffer buffer = ByteBuffer.allocate(10);
if (input.length <= buffer.remaining()) {
  buffer.put(input, 0, input.length);
}

2. CWE-79: XSS

Vulnerability Examples

// Example 1: JSP Direct Output
<%= request.getParameter("search") %>

// Example 2: JavaScript Injection
String userInput = request.getParameter("data");
out.println("<script>var data = '" + userInput + "';</script>");

Detection

• Veracode: “Cross-Site Scripting: DOM” (CWE ID 79)
• FindSecBugs: XSS_REQUEST_PARAMETER_TO_JSP_WRITER
• Burp Suite: Inject <svg/onload=alert(1)> and monitor DOM

Remediation

// Fixed Example 1: JSTL
<c:out value="${param.search}" />

// Fixed Example 2: OWASP Java Encoder
out.println("<script>var data = '" + Encode.forJavaScript(userInput) + "';</script>");

3. CWE-89: SQL Injection

Vulnerability Examples

// Example 1: Concatenated Query
String query = "SELECT * FROM users WHERE id = " + userInput;

// Example 2: ORM Injection
@Query("SELECT u FROM User u WHERE u.id = " + "#{[0]}")
List<User> findById(String id);

Detection

• Veracode: “SQL Injection” (CWE ID 89)
• SpotBugs: SQL_INJECTION_JDBC
• ZAP: SQLi test with ' OR 1=1--

Remediation

// Fixed Example 1: PreparedStatement
PreparedStatement stmt = conn.prepareStatement("SELECT * FROM users WHERE id = ?");
stmt.setString(1, userInput);

// Fixed Example 2: JPA Positional Parameter
@Query("SELECT u FROM User u WHERE u.id = ?1")
List<User> findById(String id);

4. CWE-502: Unsafe Deserialization

Vulnerability Examples

// Example 1: Direct Deserialization
ObjectInputStream ois = new ObjectInputStream(request.getInputStream());
Object obj = ois.readObject();

// Example 2: JSON Polymorphic Types
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
abstract class Payload {}

Detection

• Veracode: “Unsafe Deserialization” (CWE ID 502)
• FindSecBugs: OBJECT_DESERIALIZATION
• Burp Suite: Serialized object attack vectors

Remediation

// Fixed Example 1: ValidatingObjectInputStream
ois = new ValidatingObjectInputStream(input)
  .accept(User.class, Account.class);

// Fixed Example 2: Safe JSON Typing
@JsonTypeInfo(use = JsonTypeInfo.Id.NAME)
abstract class Payload {}

Advanced Detection Techniques

Burp Suite Pro Features

1. DOM XSS Detection:
   • Use DOM Invader to identify client-side XSS in SPAs
2. API Scanning:
   • Import OpenAPI/Swagger specs for comprehensive endpoint testing
3. Business Logic Testing:
   • Use Sequencer to test for CWE-330: Insufficient Randomness

Veracode SCA Integration

<!-- Veracode SCA Maven Plugin -->
<plugin>
  <groupId>com.veracode.vosp.api.wrappers</groupId>
  <artifactId>vosp-api-wrappers-java</artifactId>
  <version>22.6.10.0</version>
</plugin>

mvn veracode:scan

Full CWE Top 25 Coverage Matrix

CI/CD Pipeline Implementation

name: Security Pipeline

on: [push]

jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Veracode SAST
        run: java -jar veracode-wrapper.jar -vid $ -vkey $
      - name: SpotBugs
        run: mvn spotbugs:check

  dast:
    runs-on: ubuntu-latest
    needs: sast
    steps:
      - name: Start App
        run: docker-compose up -d
      - name: Burp Scan
        uses: burp/actions-scan@v1
        with:
          api-key: $
          target: http://app:8080

Conclusion

This guide provides a battle-tested approach to eliminating the CWE Top 25 in Java applications. By combining:

1. SAST (Veracode/SpotBugs) for code-level analysis
2. DAST (Burp Suite Pro/ZAP) for runtime testing
3. SCA (Veracode) for dependency checks

Teams can achieve comprehensive security coverage from development through production. The provided code samples, tool configurations, and CI/CD pipeline examples offer immediate implementation value for senior Java developers.

Next Steps:

1. Integrate Veracode into your IDE
2. Schedule weekly Burp Suite scans
3. Monitor CWE trends with Veracode’s reporting dashboard

Back to Top